640a39669277a32fca4ebc639493a81aa5bdfdbd09587b48d59a6fcce65f1700

Analysis

max time kernel
138s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FL_Studio_21.2.3_Build_4004.exe
Size

987.8MB
MD5

69a586f5beb04b717624879e01104ec2
SHA1

7d779dc7713fda36250817ef776ffb2c468fb142
SHA256

640a39669277a32fca4ebc639493a81aa5bdfdbd09587b48d59a6fcce65f1700
SHA512

b93d63681a1b35f0e1494b7c9217b4ee3c690db8383d524d289554e0a2a1d0a8b7fd21a68c6a65de6f01c823d3bb233b72836dd2f7d0f1a6f94e4953896bac06
SSDEEP

25165824:ZuQ6hGbitDF718x3unBPnEDXxrQSLP41V4sVvqXMu4HvwS:H3bitDFxKXx8SLodgMx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	FL_Studio_21.2.3_Build_4004.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	FL.Studio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	FL.Studio.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4656	2932	FL_Studio_21.2.3_Build_4004.exe	96
PID 2932 wrote to memory of 4656	2932	FL_Studio_21.2.3_Build_4004.exe	96
PID 2932 wrote to memory of 4656	2932	FL_Studio_21.2.3_Build_4004.exe	96

C:\Users\Admin\AppData\Local\Temp\FL_Studio_21.2.3_Build_4004.exe
"C:\Users\Admin\AppData\Local\Temp\FL_Studio_21.2.3_Build_4004.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
623.9MB

MD5
71b94cf3651ee4c5ceaa50ef341a82a6

SHA1
320327c3daba0f9f2c7690d2ad3116a2dbb9a59f

SHA256
2bb8fd59999cbc4a6064c81384c0c3a97d73d80c0a710be9aaf3d5eda1884fef

SHA512
4d5e6b1e5c18507a39a6c535c593c72e1c320930291c09aaa3257facd7c1ddba3766e264a4b7b88a61afe28e17c6f60b82969f95442896f472419f673de18e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
611.2MB

MD5
fec77c3c58474582bb45d77bc638cbb1

SHA1
900f10ddbdf06525d6e185ed204439c0e7eee874

SHA256
a085eaf4916e92069870202597394842ee1ac28789e58327f324d4f2139cd2ba

SHA512
a2cf911c32aa23e9a4b0ba0685db2c9dfc29440f1e55342db5ea23a82f34f7714540a7dc18b62b2744d8570e6e21b16a8adf0a13b222bf237e102649fcb31a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
829.1MB

MD5
0ebea480e66c87ab22efd97aa3b4d686

SHA1
4dc64e1805d364ec5bb54b297da50ba299772962

SHA256
d12199543e459523837d466d799abd2b33ab32b1ff87e64599ca80908ee41b46

SHA512
255f293303266242bcaf515ee88187861a40be031a1c746ddc7dde9f4a7cf403025d8c1c1b31b93b62f24541fdb6241b0ff88326573f1ad13a551bd11b340cf3

Download Submit